CVE-2012-6621

Name of the Vulnerable Software and Affected Versions GetSimple CMS versions 3.1, 3.1.2, 3.2.3, and earlier

Description The issue allows remote attackers to inject arbitrary web script or HTML via several fields and parameters, including the Email Address and Custom Permalink Structure fields in admin/settings.php, the path parameter to admin/upload.php, the err parameter to admin/theme.php, the error parameter to admin/pages.php, and the success or err parameters to admin/index.php.

Recommendations For GetSimple CMS versions 3.1, 3.1.2, 3.2.3, and earlier, consider disabling the affected fields and parameters until a patch is available. Restrict access to the admin/settings.php, admin/upload.php, admin/theme.php, admin/pages.php, and admin/index.php pages to minimize the risk of exploitation. Avoid using the Email Address and Custom Permalink Structure fields in admin/settings.php, and the path, err, error, success parameters in the respective API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.